Connect & permissions reference

What exactly do you get access to?

The honest answer, per cloud. The first scan uses a read-only role you deploy from a published template. Every action below is a describe, list, or get — this page renders the actual list, so it can never drift from what we deploy.

AWS — read-only IAM role

81 actions · published as CloudFormation & Terraform

You deploy a role that trusts our account under an external id we generate per connection (prevents the confused-deputy problem). We hold only the role ARN and external id and re-assume it read-only on each sync — no long-lived credentials are stored.

81 read-only actions, parsed from the exact CloudFormation template we publish — this page is drift-guarded by tests.

Not ready to grant a role? Bring one month of CSV bill data — the Day-0 audit runs without credentials, inside the private beta.

Cost Explorer & billing

13 actions

Read spend, tags, commitment coverage, and AWS's own purchase recommendations — the numbers behind every figure.

ce:GetCostAndUsagece:GetCostForecastce:GetReservationCoveragece:GetReservationUtilizationce:GetSavingsPlansCoveragece:GetSavingsPlansUtilizationce:GetSavingsPlansUtilizationDetailsce:GetReservationPurchaseRecommendationce:GetSavingsPlansPurchaseRecommendationce:GetTagsce:GetDimensionValuesce:DescribeCostCategoryDefinitionce:ListCostCategoryDefinitions

Utilization metrics

3 actions

Read CloudWatch CPU (avg/p95/max) so rightsizing evidence is measured, not guessed.

cloudwatch:GetMetricDatacloudwatch:GetMetricStatisticscloudwatch:ListMetrics

Compute & storage inventory

11 actions

Describe EC2 instances, EBS volumes, Elastic IPs, NAT gateways, and snapshots for the idle-resource sweep and topology.

ec2:DescribeReservedInstancesec2:DescribeInstancesec2:DescribeInstanceTypesec2:DescribeVolumesec2:DescribeAddressesec2:DescribeNatGatewaysec2:DescribeSnapshotsautoscaling:DescribeAutoScalingGroupslambda:ListFunctionslambda:ListProvisionedConcurrencyConfigsapplication-autoscaling:DescribeScalableTargets

Database inventory

19 actions

Describe RDS, ElastiCache, OpenSearch, Redshift, and DynamoDB for rightsizing and idle detection.

rds:DescribeDBInstancesrds:DescribeDBClustersrds:DescribeReservedDBInstancesdynamodb:ListTablesdynamodb:DescribeTabledynamodb:DescribeTimeToLivedynamodb:ListTagsOfResourceelasticache:DescribeCacheClusterselasticache:DescribeReplicationGroupselasticache:DescribeReservedCacheNodeselasticache:ListTagsForResourcees:ListDomainNameses:DescribeDomaines:DescribeDomainses:DescribeElasticsearchDomaines:DescribeElasticsearchDomainses:ListTagsredshift:DescribeClustersredshift:DescribeReservedNodes

Object-storage configuration

7 actions

List buckets and read their lifecycle/tiering configuration (config only — never object contents).

s3:ListAllMyBucketss3:GetBucketLocations3:GetBucketTaggings3:GetBucketVersionings3:GetLifecycleConfigurations3:GetBucketIntelligentTieringConfigurations3:GetInventoryConfiguration

Organizations hierarchy

8 actions

Read the account/OU tree so multi-account spend rolls up. Degrades gracefully on member accounts.

organizations:DescribeOrganizationorganizations:ListRootsorganizations:ListOrganizationalUnitsForParentorganizations:ListAccountsForParentorganizations:ListAccountsorganizations:ListParentsorganizations:DescribeAccountorganizations:DescribeOrganizationalUnit

AWS-native optimizer findings

16 actions

Import AWS's own recommendations (Cost Optimization Hub, Compute Optimizer, Trusted Advisor) — read-only, only where you've opted in.

cost-optimization-hub:ListRecommendationscost-optimization-hub:GetRecommendationcost-optimization-hub:ListEnrollmentStatusescompute-optimizer:GetEnrollmentStatuscompute-optimizer:GetRecommendationSummariescompute-optimizer:GetEC2InstanceRecommendationscompute-optimizer:GetAutoScalingGroupRecommendationscompute-optimizer:GetEBSVolumeRecommendationscompute-optimizer:GetLambdaFunctionRecommendationscompute-optimizer:GetECSServiceRecommendationscompute-optimizer:GetRDSDatabaseRecommendationstrustedadvisor:ListRecommendationstrustedadvisor:GetRecommendationsupport:DescribeTrustedAdvisorCheckssupport:DescribeTrustedAdvisorCheckResultsupport:DescribeTrustedAdvisorCheckSummaries

Broad resource discovery

3 actions

One tagging-API sweep plus CloudFront so the infrastructure map covers more of the estate without per-resource describes.

cloudfront:ListDistributionscloudfront:GetDistributiontag:GetResources

Identity check

1 actions

Confirm which account the role landed in (sts:GetCallerIdentity) — no other identity access.

sts:GetCallerIdentity

Optional: Cost & Usage Report (CUR) access

Attached only if you point us at a CUR S3 bucket — it gives line-item-grade billing. Without it we use the Cost Explorer API above.

This is the only policy that can write, and only inside the CUR bucket you designate: Athena writes its query results (scratch output) there to run. It never writes to any other resource, and it reads only your billing-export files — not application data.

s3:GetObjects3:GetObjectVersions3:ListBuckets3:GetBucketLocationathena:StartQueryExecutionathena:StopQueryExecutionathena:GetQueryExecutionathena:GetQueryResultsathena:GetWorkGroupglue:GetTableglue:GetTablesglue:GetDatabaseglue:GetDatabasesglue:GetPartitionglue:GetPartitionsglue:BatchGetPartitions3:PutObjects3:AbortMultipartUploads3:ListMultipartUploadParts

Azure — service principal, reader roles

You register an app (“CloudJaeger Cost Reader”) and assign it two built-in Azure roles. Neither can write.

Cost Management Reader

Reads spend data via the Azure Cost Management query API.

Reader

Lists resources and reads utilization metrics for inventory and rightsizing. If Cost Management is unavailable, we still connect for inventory with Reader alone.

GCP — service account, viewer roles

Cost comes from your BigQuery billing export, not the Billing API. The service account gets read-only viewer roles and read-only OAuth scopes.

roles/billing.viewer

Confirm the billing account and locate the billing export (metadata only).

roles/bigquery.dataViewer

Read the billing-export dataset — the cost line items themselves.

roles/bigquery.jobUser

Run the read-only query that pulls the export.

roles/compute.viewer

List Compute Engine resources for inventory and idle detection.

roles/monitoring.viewer

Read utilization metrics for rightsizing evidence.

OAuth scopes

https://www.googleapis.com/auth/cloud-billing.readonlyhttps://www.googleapis.com/auth/bigquery.readonly

What CloudJaeger never touches

  • No write to your infrastructure — the read-only role describes, lists, and gets; it never creates, modifies, or deletes a resource. (The optional CUR add-on can write only Athena scratch into the CUR bucket you designate — see below.)
  • No application data — no database rows, no message queues, no object contents. (The optional CUR add-on reads only your billing-export files.)
  • No logs or secrets — no CloudTrail export, no Secrets Manager, no KMS key material.
  • No agents or code — nothing runs inside your account; we assume a role and call read APIs.
  • No standing credentials stored — for AWS we hold only the role ARN + external id and re-assume each sync.

Off-boarding & data lifecycle

Delete the role, service principal, or key any time — the next sync fails and the connection stops. That is full off-boarding, in your hands.

  • Delete the role (or service principal / key) any time — the next sync fails and the connection flips to error. That is full off-boarding. Security posture
  • Data retention, export, and deletion are covered in the Data Processing Agreement. Data Processing Agreement
  • What we collect and why is in the Privacy Policy. Privacy Policy
  • Controls, audit trail, and sub-processors are on the Trust & Security center. Trust & Security

Read-only first, deletable any second.

A founder reviews every request. Start with a read-only pilot and keep the findings report either way.